As cyber threats increase, cyber insurance ‘trapdoors’ could scare off buyers in need of coverage
Let the buyer beware
Many corporate buyers appear to be losing sleep over the lack of clarity and certainty in cyber insurance coverage as digital exposures proliferate, judging from the attention devoted to such concerns during the recent Risk and Insurance Management Society (RIMS) annual conference. And that was before a global wave of ransomware attacks in mid-May demonstrated the vulnerability of organizations large and small.
May 15, 2017
A blog post by Sam Friedman, Insurance research leader, Deloitte Services LP
Indeed, caveat emptor—let the buyer beware—seemed to be the unofficial theme of the numerous cyber seminars taking up a large portion of the event’s extensive educational program. During one heavily attended session after another, risk managers, attorneys, brokers, and consultants warned how challenging it would likely be to secure sufficient and reliable cyber coverage in this promising but problematic market.
Insurers have a lot on the line here since cyber appears to be one of the industry’s biggest opportunities for genuine growth. With new cyber risks manifesting themselves all the time, rising demand for coverage solutions could offer insurers a chance to expand the overall property-casualty premium pie, rather than keep fighting one another for a bigger slice of what’s already available via more routine exposures. However, predictions of an exponentially expanding market are unlikely to be realized unless insurers can offer their clients true peace of mind about the rising cyber threat to their people, property, and bottom lines.
During the RIMS conference, the titles of a few of the sessions provided not-so-subtle hints of what’s keeping risk managers up at night. One focused on “Protecting your board directors and executives from a cyber nightmare.” Another related “tales from the cyber trenches,” offering tips on how to avoid having claims rejected. Buyers were warned about potential “trapdoors” and “landmines” in policies that could leave a company exposed if their risk manager doesn’t cross every “t” and dot every “i” while negotiating coverage for this rapidly evolving risk.
A trip into the unknown?
Based on all the nervous chatter at the conference, it appears that cyber insurance could be a potentially hazardous trip into the unknown, with many buyers and sellers still on a steep learning curve in part because policy terms and conditions are largely untested—and not just for new stand-alone policies. Standard property and casualty coverages—including directors and officers, professional liability, and business interruption—are often “silent” on cyber risks, not explicitly stating whether or not policyholders are insured for such emerging risks. The result may be a mismatch of expectations that could prompt cyber claims disputes down the road while stunting the growth of this nascent market until such fundamental uncertainties are settled.
To avoid coverage misunderstandings, buyers were encouraged to run cascade scenarios and conduct gap analyses assessing how their risk management and insurance programs might respond in a cyber crisis. Another precaution might be to purchase wrap-around coverage as a supplement to current policies that are silent on cyber risks, rather than assume such exposures are already included.
One other key takeaway echoed repeatedly during the RIMS conference is that cyber security is not “just” a tech problem. Instead, it’s a classic enterprise risk management challenge. That’s because cyber exposures can put an entire operation at risk, affecting people and property, undermining a company’s reputation and stock price, as well as creating regulatory compliance issues. A single attack can prompt claims under multiple policies. Risk managers should therefore engage with leaders across their organization, including IT, legal, operations, and talent, to make sure they are covered if worst comes to worst.
Last but not least, brokers were often cited as key players in the cyber risk process, and not just to help identify potential gaps and compare coverage options. Some spoke about brokers providing unofficial “sleep insurance” for buyers, under the theory that errors and omissions coverage might offer some relief if a client is left exposed because of an oversight on the intermediary’s part.
By the end of the three-day conference, risk managers attending the RIMS cyber sessions had likely been scared straight, not only about the potential consequences of suffering a breach, but also about inadvertently being left uninsured. Working with their surrogates—the beleaguered chief information security officers—risk managers have the unenviable task of securing a company’s data and operating systems, remaining vigilant in the face of an ever-widening range of attacks, and being resilient enough to recover quickly in case of an incident.
A big part of resilience usually involves transferring risk to insurers. This is how risk managers routinely handle other standard property and liability exposures, but from what I observed at RIMS and learned from my own research, cyber risk is anything but routine at the moment. The lack of clarity and certainty could make cyber insurance a harder sell than it should be for such a highly publicized exposure, while perhaps driving buyers into alternative risk-transfer vehicles, such as self-insured captives, risk retention groups, and capital market securitization.
What do you think?
How might insurers go about overcoming these and other obstacles hindering the cyber market’s development? For additional insights, see the research report I recently published on Deloitte Insights, co-authored by my colleague, Adam Thomas, a principal in Deloitte’s Cyber Risk Services team, on “Demystifying Cyber Insurance”.
QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The opinions expressed in QuickLook are those of the authors and do not necessarily reflect the views of Deloitte.